<!DOCTYPE html>
<html>
    <head>
        <meta http-equiv="Content-Type" content="text/html; charset=utf-8" />
        <title>Password hashes</title>
        <link rel="stylesheet" type="text/css" href="./css/markdown.css" />
    </head>
    <body>

    <div id="navigation">
    <a href="https://www.iredmail.org" target="_blank">
        <img alt="iRedMail web site"
             src="./images/logo-iredmail.png"
             style="vertical-align: middle; height: 30px;"
             />&nbsp;
        <span>iRedMail</span>
    </a>
    &nbsp;&nbsp;//&nbsp;&nbsp;<a href="./index.html">Document Index</a></div><div class="admonition note">
<p class="admonition-title">This tutorial is available in other languages. <a href="https://github.com/iredmail/docs">Help translate more</a></p>
<p><a href="./password.hashes-zh_CN.html">简体中文</a> /</p>
</div>
<h1 id="password-hashes">Password hashes</h1>
<div class="admonition attention">
<p class="admonition-title">Attention</p>
<p>Check out the lightweight on-premises email archiving software developed by iRedMail team: <a href="https://spiderd.io/">Spider Email Archiver</a>.</p>
</div>
<div class="toc">
<ul>
<li><a href="#password-hashes">Password hashes</a><ul>
<li><a href="#password-hashes-supported-by-iredmail">Password hashes supported by iRedMail</a></li>
<li><a href="#default-password-schemes-used-in-iredmail">Default password schemes used in iRedMail</a></li>
<li><a href="#how-to-use-different-password-hashes-in-iredmail">How to use different password hashes in iRedMail</a><ul>
<li><a href="#for-mysql-and-postgresql-backends">For MySQL and PostgreSQL backends</a></li>
<li><a href="#for-openldap-backend">For OpenLDAP backend</a></li>
</ul>
</li>
<li><a href="#see-also">See also</a></li>
</ul>
</li>
</ul>
</div>
<h2 id="password-hashes-supported-by-iredmail">Password hashes supported by iRedMail</h2>
<p>iRedMail configures Postfix to use Dovecot as SASL authenticate server, so all
password schemes supported by Dovecot can be used in Postfix. Please refer to
Dovecot wiki page
<a href="https://doc.dovecot.org/configuration_manual/authentication/password_schemes/"><code>Password Schemes</code></a>
for more details.</p>
<p>Below password schemes are supported in iRedAdmin-Pro (which means you can add new mail user with either one):</p>
<ol>
<li>SSHA512. e.g. <code>{SSHA512}FxgXDhBVYmTqoboW+ibyyzPv/wGG7y4VJtuHWrx+wfqrs/lIH2Qxn2eA0jygXtBhMvRi7GNFmL++6aAZ0kXpcy1fxag=</code></li>
<li>BCRYPT. e.g. <code>{CRYPT}$2a$05$TKnXV39M3uJ4o.AbY1HbjeAval9bunHbxd0.6Qn782yKoBjTEBXTe</code></li>
<li>SSHA. e.g. <code>{SSHA}OuCrqL2yWwQIu8a9uvyOQ5V/ZKfL7LJD</code></li>
<li>
<p>MD5 (salted). For example:</p>
<ul>
<li>with a prefix: <code>{CRYPT}$1$GfHYI7OE$vlXqMZSyJOSPXAmbXHq250</code></li>
<li>without a prefix: <code>$1$GfHYI7OE$vlXqMZSyJOSPXAmbXHq250</code></li>
</ul>
<p><strong>Important note</strong>: SOGo groupware doesn't support MD5 without a prefix, so
if you're going to migrate MD5 password hash from old mail server, please
prepend <code>{CRYPT}</code> prefix in password hash.</p>
</li>
<li>
<p>PLAIN-MD5 (without a salt). e.g. <code>0d2bf3c712402f428d48fed691850bfc</code></p>
</li>
<li>Plain text. e.g. <code>123456</code></li>
</ol>
<p><strong>WARNING</strong>: MD5, PLAIN-MD5 and plain password are weak, please don't use them.</p>
<p><strong>NOTES</strong>:</p>
<ul>
<li><code>BCRYPT</code> is only available on BSD systems, because <code>libc</code> shipped in Linux
  doesn't support bcrypt.</li>
</ul>
<h2 id="default-password-schemes-used-in-iredmail">Default password schemes used in iRedMail</h2>
<ul>
<li>
<p>For MySQL and PostgreSQL backends:</p>
<ul>
<li>in iRedMail-0.9.0 and later versions: <code>SSHA512</code></li>
<li>in iRedMail-0.8.7 and earlier versions: <code>salted MD5</code></li>
</ul>
</li>
<li>
<p>For LDAP backends:</p>
<ul>
<li>in iRedMail-0.9.5 and later versions:<ul>
<li>Debian 8, Ubuntu 16.04, FreeBSD: <code>SSHA512</code></li>
<li>RHEL/CentOS 6/7, Ubuntu 14.04, OpenBSD: <code>SSHA</code>. OpenLDAP package
  shipped in these distributions don't support SHA-2 password
  verification by default.</li>
</ul>
</li>
<li>in iRedMail-0.9.4 and earlier versions: <code>SSHA</code>.</li>
</ul>
<div class="admonition note">
<p class="admonition-title">Note</p>
<p>OpenLDAP's builtin password verification doesn't support SHA-2 password
hash formats directly, so if you have third-party applications which need
OpenLDAP's builtin password verification, you'd better use <code>SSHA</code> hash.</p>
<p>If you don't have such concern, it's ok to store <code>SSHA512/BCRYPT</code>
hash as mail user password, then set <code>ldap_bind = no</code> in
<code>/etc/dovecot/dovecot.conf</code>. SMTP/IMAP/POP3 services work with it, but
Apache basic auth doesn't.</p>
</div>
</li>
</ul>
<h2 id="how-to-use-different-password-hashes-in-iredmail">How to use different password hashes in iRedMail</h2>
<h3 id="for-mysql-and-postgresql-backends">For MySQL and PostgreSQL backends</h3>
<p>All mail users are stored in SQL table <code>vmail.mailbox</code>, user password is stored
in SQL column <code>mailbox.password</code>. For example (Note: you should replace <code>xx@xx</code>
with your real email address):</p>
<pre><code>sql&gt; USE vmail;

sql&gt; UPDATE mailbox SET password='$1$GfHYI7OE$vlXqMZSyJOSPXAmbXHq250' WHERE username='xx@xx';
sql&gt; UPDATE mailbox SET password='{SSHA}OuCrqL2yWwQIu8a9uvyOQ5V/ZKfL7LJD' WHERE username='xx@xx';
sql&gt; UPDATE mailbox SET password='{SSHA512}FxgXDhBVYmTqoboW+ibyyzPv/wGG7y4VJtuHWrx+wfqrs/lIH2Qxn2eA0jygXtBhMvRi7GNFmL++6aAZ0kXpcy1fxag=' WHERE username='xx@xx';
</code></pre>
<ul>
<li>To store PLAIN-MD5, you have to prepend <code>{PLAIN-MD5}</code> in your password hash:</li>
</ul>
<pre><code>sql&gt; USE vmail;
sql&gt; UPDATE mailbox SET password='{PLAIN-MD5}0d2bf3c712402f428d48fed691850bfc' WHERE username='xx@xx';
</code></pre>
<ul>
<li>To store plain password, you have to prepend <code>{PLAIN}</code>:</li>
</ul>
<pre><code>sql&gt; USE vmail;
sql&gt; UPDATE mailbox SET password='{PLAIN}123456' WHERE username='xx@xx';
</code></pre>
<h3 id="for-openldap-backend">For OpenLDAP backend</h3>
<p>User password is stored in attribute <code>userPassword</code> of user object.</p>
<ul>
<li>To store plain password, SSHA, SSHA512 password hash, just store them in
original format. For example:</li>
</ul>
<pre><code>userPassword: 123456
userPassword: {SSHA}OuCrqL2yWwQIu8a9uvyOQ5V/ZKfL7LJD
userPassword: {SSHA512}FxgXDhBVYmTqoboW+ibyyzPv/wGG7y4VJtuHWrx+wfqrs...
</code></pre>
<ul>
<li>To store standard MD5 password (salted MD5 hash), please prepend <code>{CRYPT}</code>
(case insensitive) in your password hash. For example:
<code>userPassword: {CRYPT}$1$GfHYI7OE$vlXqMZSyJOSPXAmbXHq250</code></li>
</ul>
<p><strong>IMPORTANT NOTE</strong>: If you want to input password hash with phpLDAPadmin,
please choose <code>clear</code> in the password hash list, then input password hash.</p>
<h2 id="see-also">See also</h2>
<ul>
<li><a href="./reset.user.password.html">Reset user password</a></li>
</ul><div class="footer">
    <p style="text-align: center; color: grey;">All documents are available in <a href="https://github.com/iredmail/docs/">GitHub repository</a>, and published under <a href="http://creativecommons.org/licenses/by-nd/3.0/us/" target="_blank">Creative Commons</a> license. You can <a href="https://github.com/iredmail/docs/archive/master.zip">download the latest version</a> for offline reading. If you found something wrong, please do <a href="https://www.iredmail.org/contact.html">contact us</a> to fix it.</p>
</div></body></html>